Internal

Sysenter Chapter - Chapter Status Report for 2014

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

André Vorbach

Andrea De Pasquale

Angelo Dell'Aera

Charlie Hurel

Gianluca Guida

Guido Landi

Jeff Nathan

Jose Miguel Esparza

Markus Schmall

Patrik Lantz

Pietro Delsante

Roberto Tanara

Sebastian Pöplau

Will Metcalf

Yuriy Khvyl

The Chapter members are interested in research projects covering the following topics:

Automated botnet tracking

Low-interaction client honeypots

Automated malware collection and analysis systems

Distributed honeynet deployment, operation and data analysis

Intrusion detection

Reverse engineering

Mobile malware analysis

Virtualization

Computer forensics

DEPLOYMENTS

We have deployed several Honeeebox sensors. Recorded attacks and malware samples are submitted to HPFeeds.
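To make the "submitted to HPFeeds" step concrete, the following added example (written for this report, not code from the Honeeebox or hpfeeds projects) builds and parses hpfeeds frames in the wire format used by the reference broker: a 4-byte big-endian total length, a 1-byte opcode, 8-bit length-prefixed strings for ident and channel names, and an OP_AUTH reply of SHA-1(nonce || secret). The sensor ident, channel name, secret and JSON payload are constructed sample values, not real feed credentials.

```python
import hashlib
import hmac
import struct

# hpfeeds opcodes, in wire order
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)
HDR = struct.Struct("!IB")  # total length (including header), opcode


def _str8(s: bytes) -> bytes:
    """8-bit length-prefixed string, used for ident and channel fields."""
    if len(s) > 255:
        raise ValueError("hpfeeds string fields are limited to 255 bytes")
    return bytes([len(s)]) + s


def _take8(body: bytes):
    """Split one length-prefixed string off the front of body."""
    if not body or len(body) < 1 + body[0]:
        raise ValueError("truncated string field")
    n = body[0]
    return body[1:1 + n], body[1 + n:]


def frame(op: int, body: bytes) -> bytes:
    """Wrap a body in the hpfeeds header."""
    return HDR.pack(HDR.size + len(body), op) + body


def msg_info(broker_name: bytes, rand: bytes) -> bytes:
    """Broker -> client greeting carrying the authentication nonce."""
    return frame(OP_INFO, _str8(broker_name) + rand)


def msg_auth(rand: bytes, ident: bytes, secret: bytes) -> bytes:
    """Client -> broker: ident plus SHA-1(nonce || secret)."""
    return frame(OP_AUTH, _str8(ident) + hashlib.sha1(rand + secret).digest())


def msg_publish(ident: bytes, channel: bytes, payload: bytes) -> bytes:
    """Client -> broker: publish payload (e.g. a capture record) on a channel."""
    return frame(OP_PUBLISH, _str8(ident) + _str8(channel) + payload)


def parse_frame(buf: bytes):
    """Parse one frame from a receive buffer.

    Returns (opcode, fields, remaining_bytes), or None when the buffer does
    not yet hold a complete frame (caller keeps reading from the socket).
    """
    if len(buf) < HDR.size:
        return None
    length, op = HDR.unpack_from(buf)
    if length < HDR.size:
        raise ValueError("invalid frame length")
    if len(buf) < length:
        return None
    body, rest = buf[HDR.size:length], buf[length:]
    if op == OP_INFO:
        name, rand = _take8(body)
        return op, {"name": name, "rand": rand}, rest
    if op == OP_AUTH:
        ident, digest = _take8(body)
        return op, {"ident": ident, "digest": digest}, rest
    if op == OP_PUBLISH:
        ident, body = _take8(body)
        channel, payload = _take8(body)
        return op, {"ident": ident, "channel": channel, "payload": payload}, rest
    if op == OP_SUBSCRIBE:
        ident, channel = _take8(body)
        return op, {"ident": ident, "channel": channel}, rest
    return op, {"raw": body}, rest


def check_auth(rand: bytes, auth_fields: dict, secrets: dict) -> bool:
    """Broker-side check of an OP_AUTH reply against the per-ident secret table.

    The digest is compared in constant time; an unknown ident is rejected.
    """
    secret = secrets.get(auth_fields["ident"])
    if secret is None:
        return False
    expected = hashlib.sha1(rand + secret).digest()
    return hmac.compare_digest(expected, auth_fields["digest"])


if __name__ == "__main__":
    # Constructed sample session: broker greets, sensor authenticates and publishes.
    nonce = b"\x0b\xad\xf0\x0d"
    secrets = {b"sensor01": b"example-secret"}
    wire = msg_info(b"hpfeeds-broker", nonce)
    wire += msg_auth(nonce, b"sensor01", b"example-secret")
    wire += msg_publish(b"sensor01", b"dionaea.capture", b'{"saddr":"10.0.0.5"}')
    while (parsed := parse_frame(wire)) is not None:
        op, fields, wire = parsed
        print(op, fields)
```

Note that hpfeeds authenticates the session only; individual published records carry no signature, so a compromised sensor secret lets anyone inject data under that ident. Restricting each ident to the channels it needs on the broker side limits the damage.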

RESEARCH AND DEVELOPMENT

We are currently developing Thug, a Python low-interaction honeyclient. Many interesting features were added during 2014, such as Thug plugins for PDF and JAR analysis. We are currently planning to add new features related to web client tracking detection.

We have contributed to the Conpot project, by developing the management interface of the Kamstrup smart meter device.

We studied some samples of mobile malware and some exploit kits serving APKs instead of regular PE executables. We found some evidence even in the very first days of 2015, but we obtained it too late to retrieve the APKs.

We have been studying the behaviour of the Dridex infostealer malware, finding a way to automatically dump its configuration and analyze it through Cuckoo.

We are developing LightTower, a monitoring/scan solution based on Thug, Arachni, Docker, etc. The idea is to constantly scan web pages for threats.

We started a new project called Rumal, intended to be a simple web GUI for Thug (it can be run on a local machine with a single user), but also a sort of social network where you can share your analyses, results and metadata with others. Rumal is currently under heavy development and will be released as an open-source project as soon as it reaches the alpha stage.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

We held an invited lecture on honeyclient technologies at EuroSec 2014 (European Workshop on Systems Security), held on the 13th of April, 2014, in Amsterdam, The Netherlands. This also gave us the opportunity to promote GSoC and The Honeynet Project to the students.

Moreover, we were frequently engaged to give educational presentations or to teach university classes on topics related to new and emerging threats.

GOALS

In 2015 we would like to continue improving the tools we have already released (see Section "Research and Development" for further details).

We would also like to revive our Cuckoo deployment, bringing it back to full operation and adding new analyzers to it.

MISC

We are currently involved in maintaining the Honeynet Project infrastructure.

We are currently involved in planning and organizing the Honeynet Project Workshop 2015 to be held in Stavanger, Norway.

We are involved in the design and implementation of the KYM (Know Your Mates) project, with the goal of fostering collaboration among Honeynet members.